Friday, July 03, 2009

EyeWonder Malware Incident Affects Popular Web Sites

During the last couple of hours, visitors to popular, high-traffic web sites such as CNN, BBC, Washington Post, Gamespot, WorldOfWarcraft, Mashable, Chow.com, ITpro.co.uk, AndroidCommunity, Engadget and Chip.de started reporting that parts of these sites are unreachable because of malware warnings triggered by content served through the EyeWonder interactive digital advertising provider.

Let’s assess the butterfly effect of a single malware incident affecting an ad network whose ads get syndicated across the entire Web.

What originally started as "we have been mistakenly flagged as malware" briefly turned into a malware incident: "appears the EW.com domain was potentially maliciously 'hacked' causing these errant and erroneous alerts to appear".

Is the EyeWonder incident a typical malvertising campaign, where malicious content is pushed onto legitimate sites through the ad network, or was EyeWonder's own web site actually compromised as part of the ongoing ColdFusion web site compromise attack?

Sadly, it could be an indication of both, since I managed to reproduce the actual exploit-serving attack at the Washington Post, using the exact link given by an affected reader within the comments of the article. However, what might have triggered the actual badware alert appears to be a compromise of the site itself.

1 Comment:

EyeWonder.com ad serving domains were erroneously tagged as a malicious domain by the automated systems at Google. The automated Google system detected some malicious code on a different eyewonder domain than where ads are served, which according to http://blogs.zdnet.com/security/?p=3694 was a ColdFusion security hole affecting a large chunk of the web. When discovered, it was quickly solved by EyeWonder. Google incorrectly flagged ALL of eyewonder.com as a malicious threat to users, when in fact the code was not in any way acting maliciously towards users or the sites on which the ads were serving and was not any real threat. While a small amount of EyeWonder's ad delivery was affected by this malicious attack, EyeWonder was not responsible for this code, no users were in danger of being maliciously attacked, and the situation was quickly identified, addressed and resolved by EyeWonder. The automated system has not yet cleared the domain eyewonder.com even though the issue has been resolved by EyeWonder. Google can prevent this issue going forward by not blanket-marking all subdomains as malicious and focusing only on the affected subdomain.